Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Warezov.sk
Email-Worm.Win32.Warezov.sk
| Detected | Oct 16 2007 10:34 GMT |
| Released | Oct 16 2007 10:34 GMT |
| Published | Oct 25 2007 16:25 GMT |
Payload
Removal instructions
Technical Details
This malicious program is a worm. It is a Windows PE EXE file. It is 124928 bytes in size. It is packed using UPX. The unpacked file is approximately 153KB in size.
Installation
When launched, the worm creates the following files:
%System%\rasppowr.dll %System%\rasppowr.exe %System%\rasppowr.z1 %System%\rasppowr.dat
The worm also creates the following system registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rasppowr] "DllName" = "%System%\rasppowr.dll" "Startup" = "WlxStartupEvent" "Shutdown" = "WlxShutdownEvent" "Impersonate" = dword:00000000 "Asynchronous" = dword:00000000
Propagation
This malicious program spreads via ICQ. It sends messages containing the following text: "Check this:" or "My party pics:". A link to the executable file of the latest variant of Warezov follows the text.
If the user opens the link in the web browser, s/he will be asked if s/he wants to download a file called “photo.pif”. When this file is launched, the worm will be installed to the victim machine.
Payload
The worm disables the antivirus and firewall solutions listed below:
Sygate Personal Firewall Symantec Internet Security Agnitum Outpost Firewall McAfee.com Personal Firewall Kerio WinRoute
The worm is also able to download other malicious programs from the remote malicious user’s sites, and launch them for execution on the victim machine.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the worm process (it may be called "rasppowr.exe").
- Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
%System%\rasppowr.dll %System%\rasppowr.exe %System%\rasppowr.z1 %System%\rasppowr.dat
- Delete the following system registry keys: (see What is a system registry and how do I use it for details on how to edit the registry).
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rasppowr]
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Virus:
W32/Stration. gen@MM (McAfee) - W32/Strati-Gen (Sophos)
- W32/Spamta.
QO. worm (Panda) - W32/KillAV.
gen1 (FPROT) - Trojan:
Win32/Stration. F!dll (MS(OneCare)) - Win32.
HLLM. Limar. 2174 (DrWeb) - Win32/Stration.
AAL worm (Nod32) - DeepScan:
Generic. Stration. 7D69E8BF (BitDef7) - Trojan.
Opnis. Gen. 39 (VirusBuster) - Win32:
Warezov-CLA [Wrm] (AVAST) - Win32.
Warezov (Ikarus) - I-Worm/Stration.
IFB (AVG) - WORM/Stration.
Gen (AVIRA) - W32.
Stration. CX@mm (NAV) - W32/Stration.
JXZ (Norman) - W32/Stration.
gen@MM (NAI) - Possible_Strat-6 (PCCIL)
- Worm.
Mail. Warezov. ji (Rising) - Email-Worm.
Win32. Warezov. sk [AVP] (FSecure) - Trojan.
Win32. Generic!BT (Sunbelt) - Trojan.
Opnis. Gen. 39 (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.